TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Monitoring of PRIME Contractor Access to Networks and Data Needs to Be Improved

September 2005

Reference Number: 2005-20-185

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Web Site | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 29, 2005

MEMORANDUM FOR CHIEF INFORMATION OFFICER
               CHIEF, MISSION ASSURANCE AND SECURITY SERVICES
               DIRECTOR, PROCUREMENT

FROM:    Pamela J. Gardiner
         Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Monitoring of PRIME Contractor Access to Networks and Data Needs to Be Improved (Audit # 200520002)

This report presents the results of our review of the monitoring of contractor access to networks and data. The overall objective of this review was to determine whether Internal Revenue Service (IRS) management implemented adequate controls over the PRIME contractor’s[1] access to IRS networks and data.

The IRS has about 900 contracts with private contractors.
Many of these contractors must be given access to IRS computer systems and taxpayer data to complete their tasks, particularly those tasks that involve developing sensitive computer systems and providing computer hardware and software. In accordance with the Federal Information Security Management Act (FISMA),[2] contractors are subject to the same security standards, guidelines, and oversight that are required for Federal Government agencies. Without adequate oversight by the IRS, there is a significant risk of misuse or disclosure of confidential data as well as possible sabotage to these critical systems.

In March 2004, we reported[3] that contractors were not complying with certain IRS security procedures and IRS procurement officials were not aware of the security regulations pertaining to the contractors they were assigned to oversee. In this audit, we followed up on prior recommendations and focused on work performed by the PRIME contractor.

[1] The PRIME contractor is the Computer Sciences Corporation, which heads an alliance of leading technology companies brought together to assist with the IRS’ efforts to modernize its computer systems and related information technology.
[2] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[3] Insufficient Contractor Oversight Put Data and Equipment at Risk (Reference Number 2004-20-063, dated March 2004).

Synopsis

During Calendar Year 2004, PRIME contractor personnel claimed they were not being granted timely access to systems, which affected their ability to efficiently perform their duties. As a result, the IRS gave the PRIME contractor the authority to add, delete, and modify its own employees’ user accounts on IRS systems.
Our review showed that the PRIME contractor added 199 user accounts without any oversight by the IRS during this 1-year period. The IRS, by allowing the PRIME contractor to approve access for its own employees with no oversight, did not comply with the FISMA.

In January 2005, to regain control of the PRIME contractor’s access to IRS systems and data, the IRS assigned an employee to review all requests for PRIME contractor personnel to be added to or deleted from IRS systems. However, access was granted solely on the request of the PRIME contractor with no justification required. We do not believe it is feasible to place this responsibility with one person who could not possibly be aware of the PRIME contractor’s access needs for each contract.

IRS procurement officials, specifically Contracting Officer’s Technical Representatives (COTR), should be responsible for granting contractor employees access to IRS systems. Our findings in this audit indicate these Procurement function officials are still not fulfilling their responsibilities. More actions are needed to ensure contractors’ access to IRS systems is limited to those who need it to accomplish their responsibilities and is monitored to detect any unauthorized activity.

The IRS worked with the PRIME contractor during January 2005 to identify over 1,000 separated contractor employees who no longer needed access but who could still sign on to IRS systems. As of May 2005, most of these accounts had been deactivated, but 160 of these contractor employees still had access to IRS systems.

We also found no documentation to indicate the IRS was monitoring the activities of PRIME contractor employees when they were accessing IRS systems. As a result, the risk of undetected security violations is increased.
A security specialist stated that audit trails are reviewed; however, the reviews are not documented.

The PRIME contractor has remote access to the IRS network so it can perform much of its systems development and test procedures from its offices in the Maryland Technology Center in New Carrollton, Maryland. We determined the data link between the PRIME contractor’s offices and the IRS was properly encrypted and physical security at the Maryland Technology Center was adequate.

Recommendations

We recommended the Chief Information Officer, in coordination with the Director, Procurement, ensure procurement officials obtain sufficient justification from the PRIME contractor before network access is granted. Also, a quarterly review of the active access account list should be performed to ensure accounts no longer needed are promptly disabled. In addition, the Chief, Mission Assurance and Security Services, should ensure audit trail reviews of contractor activity are conducted as prescribed by IRS procedures.

Response

The IRS agreed with our recommendations. Management stated a Memorandum of Understanding has been drafted outlining the roles and responsibilities of each office involved in ensuring contractor personnel gain access to only those systems needed to perform their work. A list of applications needed by contractors will be provided for each PRIME contractor project and will be used by the IRS to determine whether contractors’ access requests should be granted. The Director, Procurement, will require the PRIME contractor to submit a list of terminated employees and an active account list quarterly.
The IRS COTR will identify any accounts that are no longer needed, and the PRIME System Access Manager will deactivate those accounts.

The Chief, Mission Assurance and Security Services, stated that all contractor activities in the PRIME contractor test and development environment will be subject to the same monitoring tools used on any IRS processing environment. In addition, specific instructions will be sent to administrators of production environment systems directing them to include a review of user access from the PRIME contractor test and development environment as a key component of their standard system auditing activities. Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background

Results of Review
    Accesses to Systems Were Not Properly Authorized
        Recommendations 1 through 3
    Data Transfers Were Properly Encrypted
    Physical Security at the Maryland Technology Center Was Adequate

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management’s Response to the Draft Report

Background

The Internal Revenue Service (IRS) has about 900 contracts with private contractors. Many of these contractors must be given access to IRS computer systems and taxpayer data to complete their tasks, particularly those tasks that involve developing sensitive computer systems and providing hardware and software. In accordance with the Federal Information Security Management Act (FISMA),[1] contractors are subject to the same security standards, guidelines, and oversight that are required for Federal Government agencies. Without adequate oversight by the IRS, there is a significant risk of misuse or disclosure of confidential data as well as possible sabotage to these critical systems.

In this audit, we focused on work performed by the PRIME contractor[2] for the IRS. PRIME contractor employees have access to critical equipment and systems to perform their duties. We evaluated the hardware and software access privileges, authentication requirements, monitoring of PRIME contractor activities, and security of connections between the PRIME contractor and the IRS computer systems.
We also evaluated the physical security for one contractor-owned work facility that contained a computer network with access to the IRS enterprise network.

This review was performed in the Modernization and Information Technology Services (MITS) organization offices at the Martinsburg Computing Center[3] in Martinsburg, West Virginia, and the contractor-owned Maryland Technology Center (MTC)[4] in New Carrollton, Maryland, during the period November 2004 through May 2005. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
[2] The PRIME contractor is the Computer Sciences Corporation, which heads an alliance of leading technology companies brought together to assist with the IRS’ efforts to modernize its computer systems and related information technology.
[3] IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.
[4] The MTC, located adjacent to the New Carrollton Federal Building in New Carrollton, Maryland, is the principal site at which the PRIME contractor develops and tests systems to support the IRS’ modernization efforts.

Results of Review

Accesses to Systems Were Not Properly Authorized

To reduce the risks of unauthorized access to Federal tax information, the IRS requires that access to sensitive systems be limited to only those persons needing it to carry out their responsibilities.
The IRS requires employees to be formally authorized by a manager before accessing sensitive systems. For contractor personnel, the need to access sensitive systems must first be acknowledged by an IRS Contracting Officer’s Technical Representative (COTR) who is responsible for overseeing contractor activities. The COTR should then prepare the documentation to provide the contractor with access to the necessary IRS systems.

Authorizations for PRIME contractor accesses were not properly granted

During Calendar Year 2004, the IRS granted proxy rights to the PRIME contractor that allowed it to add, delete, and modify its own employees’ user accounts on IRS systems. The Business Systems Modernization function of the MITS organization made this decision in response to a claim by PRIME contractor personnel that they were not being granted timely access to systems, which affected their ability to efficiently perform their responsibilities.

The PRIME Contractor was granting access to its own employees with no oversight by the IRS.

We reviewed accesses granted for applications[5] used by the PRIME contractor during 2004. Of the 423 PRIME contractor personnel with user accounts for these applications, we identified:
    • User accounts added by the PRIME contractor without any approval or oversight by an IRS COTR or manager (128 user accounts).
    • User accounts added without any approval from an IRS COTR or manager or from the PRIME contractor (71 user accounts). Of the 71 user accounts, 52 were supported by an unsigned Information System User Registration/Change Request (Form 5081). The IRS had no documentation to show the other 19 user accounts had been added.

[5] We reviewed accesses for the Inventory Tracking Asset Management System (ITAMS) and the Integrated Financial System (IFS) applications. The ITAMS provides tracking information on computer assets. The IFS provides detailed financial, cost accounting, property accounting, and procurement data to authorized users. The IFS Release 1 implements the core processes of general ledger, accounts payable, accounts receivable, budget execution, cost accounting, administrative tax and travel accounting, cost performance management allocations, some tax processing functionality, budget formulation, and budget execution decision support.

As a result, we could not determine who added the accounts to the systems or whether the need for access was justified. The access decisions were made solely by the PRIME contractor. The PRIME contractor managers given responsibility for granting access could not provide justification for those decisions. We are coordinating with the COTRs responsible for overseeing contractor activities on the systems used by the PRIME contractor during 2004 to determine whether accesses by contractor personnel were justified.

In January 2005, to regain control of the PRIME contractor’s access to IRS systems and data, the IRS appointed a MITS organization employee as the PRIME System Access Manager, to review all requests for PRIME contractor personnel to be added to or deleted from IRS systems. In the first 6 months after procedures were changed, 24 contractor personnel accounts were added to various applications. For each of the 24 accounts, access was granted by the PRIME System Access Manager without acknowledgement from a COTR that access was needed. Accesses were granted solely on the request of the PRIME contractor with no justification as to the need for access.
As a result, the IRS Manager granting access did not have sufficient information to determine whether the PRIME contractor employees needed access to complete their work or whether the level of access being granted was proper for the work to be completed. We do not believe it is feasible to place this responsibility with one person who could not possibly be aware of the PRIME contractor’s access needs on each contract.

In March 2004, we reported[6] that contractors were not complying with certain IRS security procedures and IRS COTRs were not aware of the security regulations pertaining to the contractors they were assigned to oversee. In that report, we recommended the Chief, Mission Assurance and Security Services, and the Chief, Agency-Wide Shared Services, ensure the COTRs carry out their responsibilities to periodically review contractor compliance with established security policies. Management’s response stated the Mission Assurance and Security Services organization would review and update guidance for Contracting Officers and COTRs on applicable security policies. This guidance was distributed to the COTRs to assist them in monitoring contractor activities.

Our findings in this audit indicate that COTRs are still not fulfilling their responsibilities to review contractor compliance with established security policies.
More actions are needed to ensure contractors’ access to IRS systems is limited to those who need it to accomplish their responsibilities and is monitored to detect any unauthorized activity.

In addition, the decision by Business Systems Modernization management to allow the PRIME contractor to approve access for its own employees with no oversight from the IRS is contrary to FISMA guidance. FISMA Section 3544(b) requires each agency to provide security over “information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.” The Office of Management and Budget (OMB) also states agencies must develop policies for information security oversight of contractors and must review the security of other users with privileged access to Federal Government data and systems.[7]

[6] Insufficient Contractor Oversight Put Data and Equipment at Risk (Reference Number 2004-20-063, dated March 2004).

PRIME contractor user accounts were not removed when access was no longer required

In January 2005, the IRS Procurement function asked the PRIME contractor to identify its personnel who had either separated from the PRIME contractor or no longer worked on any of the applications reviewed but could still sign on to IRS systems. The PRIME contractor identified 1,045 of its employees meeting these specifications. As of May 2005, most of these accounts had been deactivated, but 160 of these contractor employees still had access to IRS systems, increasing the risk of unauthorized disclosures and disruptions of operations.
The IRS requires that accounts be deactivated when there is no longer a business need to access an IRS system. The PRIME contractor did not comply with this requirement, and the IRS did not provide sufficient oversight to ensure PRIME contractor user accounts were promptly disabled when no longer needed.

Monitoring of PRIME contractor activity was not sufficient to determine whether data were properly secured

IRS policies require system activity to be monitored by producing and reviewing audit trail data. We found no documentation to indicate the IRS personnel responsible for the security of computer systems are reviewing audit trails on computers used by the PRIME contractor. As a result, the risk of undetected security violations is increased. The security specialist stated that audit trail data are reviewed; however, the reviews are not documented.

We found no documentation that contractor activities on the IRS network are being monitored.

[7] Fiscal Year 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (OMB Memorandum M05-15, dated June 13, 2005).

Recommendations

Recommendation 1: The Chief Information Officer, in coordination with the Director, Procurement, should ensure COTRs obtain sufficient documentation from the PRIME contractor to justify access to IRS systems.
Before granting access to a contractor employee, the PRIME System Access Manager should obtain acknowledgement from the respective COTR that the access is needed.

    Management’s Response: Management agreed with this recommendation, stating that a Memorandum of Understanding has been drafted outlining the roles and responsibilities of each office involved in the process of ensuring contractors gain access to only those systems needed to perform their work. A list of applications needed by contractors will be provided for each PRIME project and will be used by the IRS to determine whether contractors’ access requests should be granted.

Recommendation 2: The Chief Information Officer, in coordination with the Director, Procurement, should require the PRIME System Access Manager to review the active account list quarterly for all applications used by the PRIME contractor to ensure accounts no longer needed are promptly disabled.

    Management’s Response: Management agreed with this recommendation. The Director, Procurement, will require the PRIME contractor to submit a list of terminated employees and an active account list quarterly. The IRS COTR will identify any accounts that are no longer needed, and the PRIME System Access Manager will deactivate those accounts.

Recommendation 3: The Chief, Mission Assurance and Security Services, should ensure audit trail reviews of contractor activity are conducted as prescribed by IRS procedures.

    Management’s Response: Management agreed with this recommendation. The Chief, Mission Assurance and Security Services, stated that all contractor activities in the PRIME contractor test and development environment will be subject to the same monitoring tools used on any other IRS processing environment.
    In addition, specific instructions will be sent to administrators of production environment systems directing them to include a review of user access from the PRIME contractor test and development environment as part of their standard system auditing activities.

Data Transfers Were Properly Encrypted

The PRIME contractor has remote access to the IRS network so it can perform much of its systems development and test procedures at its offices in the MTC. The National Institute of Standards and Technology has determined that sensitive data should be encrypted if they are vulnerable to unauthorized disclosure. IRS policy requires that encryption shall be used for transmitting sensitive but unclassified information among IRS facilities and between the IRS and other facilities.

We determined the data link between the PRIME contractor’s offices and the IRS was properly encrypted. We confirmed the software needed to encrypt and decrypt data transmitted between the two sites was in place and functioning. As a result, the risk that data being transmitted between them could be intercepted was adequately reduced.

Physical Security at the Maryland Technology Center Was Adequate

We reviewed the adequacy of physical security at the MTC by inspecting all closets and work areas to determine whether they were secure and accessible only to authorized individuals. The IRS requires that access to secure areas be closely monitored to prevent access by unauthorized personnel.
Access to these areas was controlled by the use of keycards and security cameras on each floor containing IRS hardware.

Our test of the external perimeter of the facility showed the following three security weaknesses:
    • The security guards did not request identification or ask that vendors sign in and out at the front gate when entering or exiting the facility.
    • The door to the MTC docking area leading into the facility was ajar.
    • A door adjacent to the docking area leading into the facility was ajar.

We informed MTC security personnel of these conditions and explained that a person with malicious intentions could enter through the front gate without being documented and proceed from the docking area into the MTC facility. The security personnel concurred with our assessment and immediately began a logging procedure for guests and vendors entering through the front gate area. In addition, an alarm was installed on the door leading to the docking area that would activate when the door was inappropriately accessed. With these changes in place, we found that physical security at the MTC was adequate. No other corrective actions are recommended.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether Internal Revenue Service (IRS) management implemented adequate controls over the PRIME contractor’s[1] access to IRS networks and data.
We evaluated the hardware and software access privileges, authentication requirements, audit trail collection and review, and security of connections between the PRIME contractor and the IRS computer systems. We also evaluated the physical security for one contractor-owned work facility that contained a computer network with access to the IRS enterprise network. We also followed up on prior recommendations contained in our report dated March 2004.[2] Specifically, we:

I. Determined whether the PRIME contractor’s access permissions to IRS networks were limited to those employees who needed it to execute their responsibilities.
    A. For Calendar Year 2004, determined whether user access was authorized by verifying whether each contractor employee assigned to two specific applications had an Information System User Registration/Change Request (Form 5081) on file for the system on which he or she was listed as a user. We chose the two applications because they were accessed most frequently by contractor personnel during Calendar Year 2004.
    B. Obtained a listing from the system administrator of users on the system who have not accessed the system within 45 days and 90 days. We determined whether the accounts were automatically locked.
    C. Determined the IRS’ and the PRIME contractor’s role in granting network access to the PRIME contractor.
        1. Determined how the appropriate managers verify that the required background investigation has been initiated or completed.
        2. Determined whether an Online Form 5081 was used and if this was mandatory, the contractor’s access privileges were correct, and anyone in the IRS questioned the contractor’s need for administrative privilege.
        3. Determined how a system administrator knows when to remove system access for a separated or transferred contractor employee.
II. Determined the extent of the IRS’ review of audit logs of contractor-used computers at the two locations, the Maryland Technology Center (MTC)[3] and the Martinsburg Computing Center.[4]
    A. Determined who performed the review of audit logs of PRIME contractor computers and how often the reviews were performed.
    B. Attempted to secure copies of any reports on audit logs for computers used by PRIME contractor employees; any reports showing the corrective actions taken because of the monitoring of the audit logs; and any incident reports that were elevated to a higher level of management or to the IRS Computer Systems Incident Response Center, which provides assistance and guidance in incident response and provides a centralized approach to incident handling across the IRS enterprise. The IRS could not provide any of the audit log reports.
III. Determined the level of physical security at the MTC using the National Institute of Standards and Technology (NIST) Security Self-Assessment Guide for Information Technology Systems (Special Publication 800-26).[5]
    A. Determined whether access to facilities was controlled through the use of guards, identification badges, and entry devices such as key cards, biometrics, and locks; management periodically reviewed the list of persons with physical access to the facility; emergency exit and reentry procedures ensured only authorized personnel were allowed to reenter after fire drills, etc.; and visitors to sensitive areas were required to sign in and were escorted.
    B. Determined whether physical accesses were monitored through audit trails, apparent security violations were investigated and remedial actions taken, and suspicious access activity was investigated and appropriate actions were taken.
    C. Determined whether visitors, contractors, and maintenance personnel were authenticated with preplanned appointments and identification checks.
IV. Determined whether data transfers between the IRS and the PRIME contractor were encrypted and adequately secured.
    A. Verified the methods used to transfer data files between the IRS network and PRIME contractor personnel by physically observing file transfers.
    B. Ascertained the protocols used and obtained an explanation of the security features of those protocols.

[1] The PRIME contractor is the Computer Sciences Corporation, which heads an alliance of leading technology companies brought together to assist with the IRS’ efforts to modernize its computer systems and related information technology.
[2] Insufficient Contractor Oversight Put Data and Equipment at Risk (Reference Number 2004-20-063, dated March 2004).
[3] The MTC, located adjacent to the New Carrollton Federal Building in New Carrollton, Maryland, is the principal site at which the PRIME contractor develops and tests systems being developed to support the IRS’ modernization efforts.
[4] IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.
[5] The NIST, under the Department of Commerce, is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Stephen R. Mullins, Director
Gerald Horn, Audit Manager
David Brown, Senior Auditor
William Lessa, Senior Auditor
Thomas Nacinovich, Senior Auditor
William Simmons, Senior Auditor
Stasha Smith, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Service and Enforcement SE
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
    Chief Information Officer OS:CIO
    Chief, Mission Assurance and Security Services OS:MA
Director, Procurement OS:A:P\n\n\n\n\n                                                                         Page 11\n\x0c       Monitoring of PRIME Contractor Access to Networks\n                 and Data Needs to Be Improved\n\n\n\n                                                 Appendix IV\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                           Page 12\n\x0cMonitoring of PRIME Contractor Access to Networks\n          and Data Needs to Be Improved\n\n\n\n\n                                                    Page 13\n\x0cMonitoring of PRIME Contractor Access to Networks\n          and Data Needs to Be Improved\n\n\n\n\n                                                    Page 14\n\x0cMonitoring of PRIME Contractor Access to Networks\n          and Data Needs to Be Improved\n\n\n\n\n                                                    Page 15\n\x0cMonitoring of PRIME Contractor Access to Networks\n          and Data Needs to Be Improved\n\n\n\n\n                                                    Page 16\n\x0cMonitoring of PRIME Contractor Access to Networks\n          and Data Needs to Be Improved\n\n\n\n\n                                                    Page 17\n\x0c'